Steps to generate CSR for ESXi certificate when disconnected from vCenter

Article ID: 419270

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

The ESXi host is disconnected from vCenter, and the vpxd certificate mode is set to custom. These steps outline how to generate a CSR for an ESXi host when it is disconnected from vCenter.

Environment

VMware vSphere ESXi 8.x

Cause

The ESXi host certificate has expired

Resolution

To generate a certificate request for an ESXi host:

1) Edit the openssl.cfg file on the ESXi host. If the file is not available, create a new one with the content shown below (it can be created in any location, such as /tmp/, provided the path is given accordingly when running the command):

Note: Replace the placeholder values (highlighted in red in the original article, shown here in angle brackets) with the details of the system requiring the SSL certificates (vi openssl.cfg):

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:<esxi_fqdn>, IP:<esxi_ip_address>, DNS:<esxi_shortname>


[ req_distinguished_name ]
countryName = <Country_Code>
stateOrProvinceName = <State>
localityName = <City>
0.organizationName = <Company_Name>
organizationalUnitName = <Department_Name>
commonName = <esxi_fqdn>

2) Execute the command:

openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg
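
Before submitting rui.csr to the certificate authority, it is worth confirming that the request is intact, that the FQDN made it into subjectAltName, and that the request matches rui.key. The following shell script is an added example, not part of the original article; check_csr and make_sample_csr are hypothetical helper names, and the host name, IP address and organization values are constructed samples.

```shell
# Added example. check_csr and make_sample_csr are hypothetical helper names;
# the host name, IP and organization values below are constructed samples.
check_csr() {  # usage: check_csr <csr> <key> <expected_fqdn>
    csr=$1; key=$2; fqdn=$3
    # 1. Self-signature must verify (catches a truncated or altered CSR).
    #    Match the message text: older openssl builds exit 0 even on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "bad signature"; return 1; }
    # 2. The FQDN must appear as an exact DNS entry in subjectAltName.
    openssl req -in "$csr" -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$fqdn" ||
        { echo "SAN missing $fqdn"; return 1; }
    # 3. The CSR must carry the public half of this private key.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "key mismatch"; return 1; }
    echo "ok"
}

make_sample_csr() {  # writes a filled-in openssl.cfg, runs step 2, prints the dir
    d=$(mktemp -d) || return 1
    cat > "$d/openssl.cfg" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi01.example.test, IP:192.0.2.10, DNS:esxi01
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = ExampleState
localityName = ExampleCity
0.organizationName = Example Corp
organizationalUnitName = IT
commonName = esxi01.example.test
EOF
    openssl req -new -nodes -out "$d/rui.csr" -keyout "$d/rui.key" \
        -config "$d/openssl.cfg" >/dev/null 2>&1 || return 1
    chmod 600 "$d/rui.key"   # unencrypted key: keep it owner-only
    echo "$d"
}
d=$(make_sample_csr) && check_csr "$d/rui.csr" "$d/rui.key" esxi01.example.test
```

On a real host, call check_csr with the rui.csr and rui.key produced in step 2 and the host's own FQDN; any result other than "ok" means the request should be regenerated before it goes to the CA.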




 

 

Additional Information

To replace the ESXi certificate with the custom certificate after it has been signed, follow KB 340017.